IBM Support

PM72843: UNABLE TO ADD ADDITIONAL SPNEGO HOSTNAME FILTERS WITHIN EXISTING SECURITY DOMAIN


APAR status

  • Closed as program error.

Error description

  • When SPNEGO is configured only within a security domain and is
    working, and there is a need to add an additional SPN: after you
    update the keytab and then proceed to the admin console to add the
    new hostname entry, the entry will not be found.
    
    This happens because, when a new hostname is being added, the
    WebSphere code doesn't set the location of the krb5.ini/conf file;
    as a result, it is loaded from the default location. Here is a
    trace snippet:
    ------------------------------
    000000da SystemOut     O   [JGSS_DBG_PROV]
    WebContainer : 0 getFactory: index = 1 found factory caller =
    com.ibm.security.jgss.GSSCaller@52bb90dd
    000000da SystemOut     O   [KRB_DBG_CFG]
    Config:WebContainer : 0:   Config name: /etc/krb5.conf
    000000da SystemOut     O   [JGSS_DBG_CRED]
    WebContainer : 0 Name cannonicalization complete, resulting name
    string=HTTP/<hostname>@EXAMPLE.COM
    ------------------------------
    
    As you can see, the krb5.conf file was read from the default
    operating system location, and the Kerberos realm name
    (EXAMPLE.COM) came from there; as a result, the correct keytab
    file was not read either.
    
    The exception thrown is this:
    ------------------------------
    GSSException
    SourceId:com.ibm.ws.security.auth.kerberos.admintask.
    validateKrb5Spn ProbeId:1190
    Reporter:com.ibm.ws.security.auth.kerberos.
    admintask.SpnegoCommandProviderImpl@ef3d1bdd
    org.ietf.jgss.GSSException, major code: 13, minor code: 0
            major string: Invalid credentials
            minor string: Kerberos error getting credential from
    JAAS Subject: {0}
            at
    com.ibm.security.jgss.i18n.I18NException.throwGSSException
    (I18NException.java:34)
            at com.ibm.security.jgss.mech.krb5.x.b(x.java:6)
            at com.ibm.security.jgss.mech.krb5.x.a(x.java:379)
    ------------------------------
    

Local fix

  • 1) Remove the security domain, recreate it and configure SPNEGO,
    starting with a keytab that contains all the SPN entries you
    need. You will then be able to add all the corresponding
    hostname filters.
    
    2) Configure SPNEGO in global security instead of in a security
    domain.
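As an added example for local fix 1 (not IBM's code), the following Python parses a keytab in the common 0x0502 format and reports which HTTP/<host>@REALM entries are missing, so you can confirm the keytab really holds every SPN before adding the matching hostname filters; the keytab bytes, host names and realm below are constructed.

```python
import struct

def _counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)          # uint16 length + octets
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [{'principal', 'kvno', 'enctype'}] for every live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                      # negative size marks a deleted slot; 0 ends the scan
            pos += -size or len(data)
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        _name_type, _ts, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + keylen                 # skip the key material itself
        if end - pos >= 4:                 # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
        pos = end
    return entries

def missing_spns(data, hosts, realm):
    """Hostnames whose HTTP/<host>@REALM entry is absent from the keytab bytes."""
    have = {e["principal"] for e in parse_keytab(data)}
    return [h for h in hosts if "HTTP/%s@%s" % (h, realm) not in have]

def build_entry(principal, kvno, enctype=17, key=b"\x00" * 16):
    # Encoder used only to construct the sample below (dummy key, AES128 enctype 17).
    name, realm = principal.split("@"); comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: one deleted slot, then the SPN for web1 only (web2 is missing).
SAMPLE_KEYTAB = (b"\x05\x02" + struct.pack(">i", -8) + b"\x00" * 8
                 + build_entry("HTTP/web1.example.com@EXAMPLE.COM", 3))
```

Run it against the real keytab (`open(path, "rb").read()`) with the hostnames and realm from your SPNEGO configuration; any host it lists will fail the admin console's SPN validation.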
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: Modifications in krb5.conf or keytab    *
    *                      file might not be honored during        *
    *                      runtime.                                *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Although WebSphere Application Server is designed to honor a
    newly configured parameter in the krb5.conf file or keytab file
    during runtime, there was a scenario in which this was not the case.
    

Problem conclusion

  • With this fix, the security code was modified to reload the
    krb5.conf file and keytab file so that the latest values are
    honored before validating whether the given SPN name is valid.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.0.2.  Please refer to the Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM72843

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-09-13

  • Closed date

    2012-10-02

  • Last modified date

    2012-10-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP


Document Information

Modified date:
01 November 2021